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Matthew  T.  Walsh,  Esq.  (Bar  No.  208169) 
CARROLL,  McNULTY  &  KULL  LLC 

100  North  Riverside  Plaza,  Suite  2100 
Chicago,  Illinois  60606 
Telephone:  (312)  800-5000 
Facsimile:  (312)  800-5010 
Email:  mwalsh@cmk.com 


Attorneys  for  Plaintiff  COLUMBIA  CASUALTY  COMPANY 

UNITED  STATES  DISTRICT  COURT 
FOR  THE  CENTRAL  DISTRICT  OF  CALIFORNIA 


COLUMBIA  CASUALTY  COMPANY 


Plaintiff, 


v. 


COTTAGE  HEALTH  SYSTEM 


Defendant. 


Case  No.:  2:15-cv-03432 

COMPLAINT  FOR 
DECLARATORY 

JUDGMENT  AND  REIMBURSEMENT 
OF  DEFENSE  AND  SETTLEMENT 
PAYMENTS 


Plaintiff  COLUMBIA  CASUALTY  COMPANY  (hereinafter  "Columbia")  by  and 
through  its  attorneys,  as  and  for  Complaint  against  Defendant,  hereby  allege  as  follows: 

INTRODUCTION 

1.  This  is  a  Complaint  for  Declaratory  Judgment  pursuant  to  28  U.S.C.  §  2201  and 
for  Reimbursement  of  Defense  and  Settlement  Payments  made  by  Columbia  on  behalf  of  its 
insured. 

2.  This  matter  arises  out  of  a  data  breach  that  resulted  in  the  release  of  electronic 
private  healthcare  patient  information  stored  on  network  servers  owned,  maintained  and/or 
utilized  by  defendant  COTTAGE  HEALTH  SYSTEM  ("Cottage"). 

3.  Cottage  operates  a  network  of  hospitals  located  in  Southern  California, 
including  Santa  Barbara  Cottage  Hospital,  Goleta  Valley  Cottage  Hospital  and  Santa  Ynez 
Valley  Cottage  Hospital  (collectively,  the  "Hospitals.") 
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4.  Following  the  data  breach,  a  class  action  lawsuit  was  commenced  against 
Cottage  in  which  the  plaintiffs  asserted  claims  against  Cottage  and  others  based  on  its  alleged 
breach  of  California's  Confidentiality  of  Medical  Information  Act  ("CMIA"),  California  Civil 
Code  §56,  et  seq.  A  settlement  has  been  reached  in  the  class  action  lawsuit  for  the  amount  of 
$4,125  million. 

5.  Columbia  has  agreed  to  fund  the  $4,125  million  class  action  settlement,  subject 
to  a  complete  reservation  of  rights. 

6.  The  data  breach  is  also  the  subject  of  an  ongoing  investigation  conducted  by  the 
California  Department  of  Justice  regarding  Cottage's  potential  violations  of  the  federal  Health 
Insurance  Portability  and  Accountability  Act  ("HIPAA.") 

7.  Columbia  issued  a  liability  policy  to  Cottage  providing  claims  made  coverage 
for  the  October  1,  2013  to  October  1,  2014  policy  period. 

8.  Columbia  seeks  a  declaration  that  it  is  not  obligated  to  provide  Cottage  with  a 
defense  or  indemnification  in  connection  with  any  and  all  claims  stemming  from  the  data 
breach  at  issue. 

9.  Columbia  also  seeks  a  declaration  of  its  entitlement  to  reimbursement  in  full 
from  Cottage  for  any  and  all  attorney's  fees  or  related  costs  or  expenses  Columbia  has  paid  or 
will  pay  in  connection  with  the  defense  and  settlement  of  the  class  action  lawsuit  and  any 
related  proceedings  and  an  award  of  damages  consistent  with  such  declaration. 

PARTIES,  JURISDICTION  AND  VENUE 

10.  Columbia  is  a  corporation  organized  and  existing  under  the  laws  of  the  State  of 
Illinois  and  having  its  principal  place  of  business  located  at  CNA  Plaza,  Chicago,  Illinois. 
Columbia  is  in  the  business  of  providing  and  underwriting  insurance.  Columbia  is,  and  at  all 
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times  relevant  to  this  Complaint  was,  duly  authorized  to  transact  business  in  the  State  of 
California. 

11.  Upon  information  and  belief,  Cottage  is  a  California  organization  with  its 
principal  place  of  business  located  at  400  West  Pueblo  Street,  Santa  Barbara,  California  93105. 

12.  This  litigation  is  a  civil  action  over  which  this  Court  has  original  diversity 
jurisdiction  pursuant  to  28  U.S.C.  §  1332(a)(2)  based  on  diversity  of  the  parties  and  the  amount 
in  controversy. 

13.  The  amount  in  controversy  in  this  matter  exceeds  $75,000.  Columbia  seeks  a 
declaration  that  it  is  not  obligated  to  provide  coverage  to  Cottage  for  any  portion  of  a  $4,125 
million  class  action  settlement,  as  well  as  additional  potential  regulatory  liability. 

14.  The  insurance  contract  between  Columbia  and  Cottage  that  is  the  subject  of  this 
declaratory  judgment  action  was  issued  to  Cottage  in  this  District.  Further,  the  alleged  acts  and 
omissions  on  the  part  of  Cottage  that  precipitated  the  claims  for  which  coverage  is  sought  took 
place  in  this  District.  Therefore,  venue  is  proper  in  this  District  pursuant  to  28  U.S.C.  §  1391. 

FACTUAL  BACKGROUND 

A.       The  Underlying  Action 

15.  On  or  about  January  27,  2014,  a  proposed  class  action  was  commenced  in 
California  Superior  Court,  Orange  County  styled  Kenneth  Rice,  et  al.  v.  INSYNC,  Cottage 
Health  System,  et  al.,  Case  No.  30-2014-00701 147-CU-NP-CJC  (the  "Underlying  Action"). 

16.  The  complaint  alleges  that  between  October  8,  2013  and  December  2,  2013, 
confidential  medical  records  of  approximately  32,500  of  Cottage's  Hospitals'  patients  that 
were  stored  electronically  on  Cottage's  servers  were  disclosed  to  the  public  via  the  internet. 
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17.  The  complaint  alleges  that  the  breach  occurred  because  Cottage  and/or  its  third- 
party  vendor,  INSYNC  Computer  Solution,  Inc.  ("INSYNC"),  stored  medical  records  on  a 
system  that  was  fully  accessible  to  the  internet  but  failed  to  install  encryption  or  take  other 
security  measures  to  protect  patient  information  from  becoming  available  to  anyone  who 
"surfed"  the  internet. 

18.  The  complaint  alleges  that  Cottage  violated  its  nondelegable  duties  under  CMIA 
and  HIPAA  to  maintain  the  security  of  its  patients'  confidential  medical  records  and  to  detect 
and  prevent  data  breaches  on  its  system  that  would  allow  such  information  to  become  available 
to  the  public  through  the  internet. 

19.  On  or  about  December  24,  2014,  the  Court  in  the  Underlying  Action  granted  the 
class  representative's  motion  for  Preliminary  Approval  of  Proposed  Class  Action  Settlement. 
The  proposed  settlement  involves  creation  of  a  $4,125  million  settlement  fund  for  payments  to 
approximately  50,917  Settlement  class  members,  along  with  related  expenses  and  attorneys' 
fees. 

20.  Upon  information  and  belief,  INSYNC  does  not  maintain  sufficient  liquid  assets 
to  contribute  towards  the  proposed  settlement  fund  and  does  not  maintain  liability  insurance 
that  applies  with  respect  to  the  privacy  claims  asserted  in  the  Underlying  Action. 

21.  Columbia  has  agreed  to  fund  the  $4,125  million  settlement  of  the  Underlying 
Action  on  behalf  of  Cottage,  subject  to  a  complete  reservation  of  rights,  including  the  right  to 
seek  reimbursement  of  any  funds  paid  or  advanced  on  Cottage's  behalf  pending  a  resolution  of 
the  instant  coverage  dispute. 
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B.  The  California  Department  of  Justice  Investigation 

22.  The  data  breach  alleged  in  the  Underlying  Action  is  also  the  subject  of  a 
pending  investigation  by  the  California  Department  of  Justice  ("DOJ")  (the  "DOJ 
Proceeding").  The  DOJ  Proceeding  will  determine  whether  Cottage  complied  with  its 
obligations  under  HIPAA  and  any  other  pertinent  state  and  federal  laws  and  may  potentially 
result  in  the  imposition  of  fines,  sanctions  or  penalties. 

C.  The  Columbia  Policy 

23.  Columbia  issued  a  "NetProtect360"  claims-made  liability  policy  to  Cottage  in 
effect  from  October  1,  2013  through  October  1,  2014,  under  policy  number  425565140-02  (the 
"Columbia  Policy"). 

24.  As  relevant  here,  the  Columbia  Policy  provides  coverage  for  Privacy  Injury 
Claims  and  Privacy  Regulation  Proceedings  with  limits  of  $10,000,000  each  claim  or 
proceeding  and  $10,000,000  in  the  aggregate  for  all  Claims  -  subject  to  a  $100,000  deductible 
(the  "Columbia  Policy.")  Coverage  for  Privacy  Injury  Claims  is  subject  to  a  "Prior  Acts"  date 
of  May  27,2012. 

25.  The  Columbia  Policy  contains  the  following  relevant  Insuring  Agreement 
provisions: 

A.  Insuring  Agreements 

If  the  insuring  Agreement  has  been  purchased,  as  indicated  in 
the  Declarations,  the  Insurer  will  pay  on  behalf  of  the  Insured 
all  sums  in  excess  of  the  Deductible  and  up  to  the  applicable 
limit  of  insurance  that  the  Insured  shall  become  legally 
obligated  to  pay: 

*        *  * 
2.  Privacy  Injury  Liability 

A.  Privacy  Injury  Claim 
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as  Damages  resulting  from  any  Privacy  Injury  Claim 
both  first  made  against  the  Insured  and  reported  to  the 
Insurer  in  writing  during  the  Policy  Period,  or  any 
Extended  Reporting  Period,  if  applicable,  alleging  any 
Wrongful  Act  by  the  insured,  or  by  someone  for  whose 
Wrongful  Act  the  Insured  is  legally  responsible; 

B.  Privacy  Regulation  Proceeding 

as  Damages  and  Claim  Expenses  resulting  from  any 
Privacy  Regulation  Proceeding  both  first  made  against 
the  Insured  and  reported  to  the  Insurer  in  writing  during 
the  Policy  Period,  or  any  Extended  Reporting  Period,  if 
applicable,  alleging  any  Wrongful  Act  by  the  Insured  or 
by  someone  for  whose  Wrongful  Act  the  Insured  is 
legally  responsible; . . . 

26.  The  Columbia  Policy  contains  the  following  relevant  exclusion: 

Whether  in  connection  with  any  First  Party  Coverage  or  any 
Liability  Coverage,  the  Insurer  shall  not  be  liable  to  pay  any  Loss: 

*         *  * 

0.  Failure  to  Follow  Minimum  Required  Practices 

based  upon,  directly  or  indirectly  arising  out  of,  or  in  any 
way  involving: 

1.  Any  failure  of  an  Insured  to  continuously  implement 
the  procedures  and  risk  controls  identified  in  the 
Insured's  application  for  this  Insurance  and  all  related 
information  submitted  to  the  Insurer  in  conjunction 
with  such  application  whether  orally  or  in  writing;. . . 

27.  The  Columbia  Policy  contains  the  following  relevant  conditions: 

1.  Application 

1.  The  Insureds  represent  and  acknowledge  that  the 
statements  contained  on  the  Declarations  and  in  the 
Application,  and  any  materials  submitted  or  required  to  be 
submitted  therewith  (all  of  which  shall  be  maintained  on 
file  by  the  Insurer  and  be  deemed  attached  to  and 
incorporated  into  this  Policy  as  if  physically  attached),  are 
the  Insured's  representations,  are  true  and:  (i)  are  the  basis 
of  this  Policy  and  are  to  be  considered  as  incorporated  into 
and  constituting  a  part  of  this  Policy;  and    (ii)  shall  be 
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deemed  material  to  the  acceptance  of  this  risk  or  the  hazard 
assumed  by  the  Insurer  under  this  Policy.  This  Policy  is 
issued  in  reliance  upon  the  truth  of  such  representations. 

2.  This  Policy  shall  be  null  and  void  if  the  Application 
contains  any  misrepresentation  or  omission: 

a.  made  with  the  intent  to  deceive,  or 

b.  which  materially  affects  either  the  acceptance  of  the 
risk  or  the  hazard  assumed  by  the  Insurer  under  the 
Policy. 

*         *  * 
Q.  Minimum  Required  Practices 

The  Insured  warrants,  as  a  condition  precedent  to  coverage 
under  this  Policy,  that  is  shall: 

1.  follow  the  Minimum  Required  Practices  that  are  listed  in 
the  Minimum  Required  Practices  endorsement  as  a 
condition  of  coverage  under  this  policy,  and 

2.  maintain  all  risk  controls  identified  in  the  Insured's 
Application  and  any  supplemental  information  provided  by 
the  Insured  in  conjunction  with  Insured's  Application  for 
this  Policy. 

28.      The  Columbia  Policy  contains  the  following  relevant  definitions: 

Application  means  all  signed  applications  for  this  Policy  and  for 
any  policy  in  an  uninterrupted  series  of  policies  issued  by  the 
Insurer  or  any  affiliate  of  the  Insurer  of  which  this  Policy  is  a 
renewal  or  replacement.  Application  includes  any  materials 
submitted  or  required  to  be  submitted  therewith.  An  affiliate  of  the 
Insurer  means  an  entity  controlling,  controlled  by  or  under 
common  control  with  the  Insurer. 

*  *  * 

Damages  means  civil  awards,  settlements  and  judgments...  which 
the  Insureds  are  legally  obligated  to  pay  as  a  result  of  a  covered 
Claim.  Damages  shall  not  include: 

*  *  * 

B.  criminal,  civil,  administrative  or  regulatory  relief,  fines  or 
penalties; 
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*  *  * 

D.  injunctive  or  declaratory  relief; 

E.  matters  which  are  uninsurable  as  a  matter  of  law;  or 

*  *  * 

Notwithstanding  the  foregoing  paragraph,  Damages  shall  include... 
punitive,  exemplary  and  multiplied  damages.  Enforceability  of  this 
paragraph  shall  be  governed  by  such  applicable  law  that  most 
favors  coverage  for  such  punitive,  exemplary  and  multiple 
damages. 

*  *  * 

Privacy  Regulation  Proceeding  means  a  civil,  administrative  or 
regulatory  proceeding  against  an  Insured  by  a  federal,  state  or 
foreign  governmental  authority  alleging  violation  of  any  law 
referenced  under  the  definition  of  Privacy  Injury  or  a  violation  of  a 
Security  Breach  Notice  Law. 


D.       The  Columbia  Policy  Application 

29.  As  part  of  the  application  submitted  in  connection  with  the  Columbia  Policy, 
Cottage  completed  and  submitted  a  "Risk  Control  Self  Assessment"  in  which  it  made  the 
following  relevant  representations: 

4.  Do  you  check  for  security  patches  to  your  systems  at  least  weekly 
and  implement  them  within  30  days?  •  Yes 

5.  Do  you  replace  factory  default  settings  to  ensure  your  information 
security  systems  are  securely  configured?  •  Yes 

6.  Do  you  re-assess  your  exposure  to  information  security  and 
privacy  threats  at  least  yearly,  and  enhance  your  risk  controls  in 
response  to  changes?  •  Yes 

1 1 .  Do  you  outsource  your  information  security  management  to  a 
qualified  firm  specializing  in  security  or  have  staff  responsible  for 
and  trained  in  information  security?  •  Yes 

12.  Whenever  you  entrust  sensitive  information  to  3rd  parities  do 
you... 

a.  contractually  require  all  such  3rd  parties  to  protect  this 
information  with  safeguards  at  least  as  good  as  your  own 

•  Yes 

b.  perform  due  diligence  on  each  such  3rd  party  to  ensure  that 
their  safeguards  for  protecting  sensitive  information  meet  your 
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standards  (e.g.  conduct  security/privacy  audits  or  review 
findings  of  independent  security/privacy  auditors)        •  Yes 

c.  Audit  all  such  3rd  parities  at  least  once  per  year  to  ensure  that 
they  continuously  satisfy  your  standards  for  safeguarding 
sensitive  information?  •  Yes 

d.  Require  them  to  either  have  sufficient  liquid  assets  or 
maintain  enough  insurance  to  cover  their  liability  arising  from 
a  breach  of  privacy  or  confidentiality.  •  Yes 

13.  Do  you  have  a  way  to  detect  unauthorized  access  or  attempts  to 
access  sensitive  information?  •  Yes 

23.  Do  you  control  and  track  all  changes  to  your  network  to  ensure  it 
remains  secure?  •  Yes 

30.  Upon  information  and  belief,  Cottage  provided  false  responses  to  the  foregoing 
questions  when  applying  for  coverage  from  Columbia. 

31.  Cottage's   application   for  the   Columbia  Policy   contains   the  following 
"Warranty:" 

Applicant  hereby  declares  after  inquiry,  that  the  information  contained 
herein  and  in  any  supplemental  applications  or  forms  required  hereby, 
are  true,  accurate  and  complete,  and  that  no  material  facts  have  been 
suppressed  or  misstated.  Applicant  acknowledges  a  continuing 
obligation  to  report  to  the  CNA  Company  to  whom  this  Application  is 
made  ("the  Company")  as  soon  as  practicable  any  material 
changes... all  such  information,  after  signing  the  application  and  prior 
to  issuance  of  this  policy,  and  acknowledges  that  the  Company  shall 
have  the  right  to  withdraw  or  modify  any  outstanding  quotations 
and/or  authorization  or  agreement  to  bind  the  insurance  based  upon 
such  changes. 

Further,  Applicant  understands  and  acknowledges  that: 

*         *  * 

2)  If  a  policy  is  issued,  the  Company  will  have  relied  upon,  as 
representations,  this  application,  any  supplemental  applications  and 
any  other  statements  furnished  to  this  Company  in  conjunction  with 
this  application. 

3)  All  supplemental  applications,  statements  and  other  materials 
furnished  to  the  Company  in  conjunction  with  this  application  are 
hereby  incorporated  by  reference  into  this  application  and  made  a  part 
thereof. 
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4)  This  application  will  be  the  basis  of  the  contract  and  will  be 
incorporated  by  referenced  into  and  made  a  part  of  such  policy. 

E.       Claim  Investigation 

32.  Columbia  was  originally  notified  of  the  data  breach  issue  on  December  3,  2013. 
By  letter  dated  January  29,  2014,  Columbia  acknowledged  receipt  of  the  claim  and  reserved 
rights  under  the  Columbia  Policy.  Specifically,  Columbia  explained  that  the  liability  coverage 
provided  under  the  Columbia  Policy  had  not  been  triggered  because  Cottage  had  not  yet 
received  a  demand  for  monetary  damages  or  notice  of  a  potential  regulatory  fine  associated 
with  the  data  breach  and  advised  Cottage  to  provide  immediate  notice  upon  receipt  of  any  such 
claim. 

33.  Columbia  was  then  notified  of  the  Underlying  Action  on  January  29,  2014.  By 
letter  dated  February  20,  2014,  Columbia  supplemented  its  reservation  of  rights  to  include  the 
claims  asserted  in  the  Underlying  Action.  Based  on  the  allegations  in  the  complaint  in  the 
Underlying  Action,  Columbia  reserved  the  right  to  disclaim  coverage  pursuant  to  the  Columbia 
Policy's  "Failure  to  Follow  Minimum  Required  Practices"  exclusion,  among  other  grounds. 

34.  Columbia  thereafter  issued  further  supplemental  reservation  of  rights  letters  on 
July  9,  2014  addressing  Cottage's  deductible  and  coinsurance  obligations  and  September  17, 
2014  addressing  additional  and/or  alternative  coverage  defenses  that  became  apparent  as  its 
claim  investigation  proceeded. 

35.  Prior  to  funding  the  $4,125  million  settlement  of  the  Underlying  Action, 
Columbia  advised  Cottage  that  its  agreement  to  fund  the  settlement  was  made  subject  to  a  full 
and  complete  reservation  of  rights  under  the  Columbia  Policy  and  applicable  law  to  disclaim 
coverage  and  seek  reimbursement  in  full  from  Cottage  for  any  and  all  amounts  paid  towards 
settlement  of  the  Underlying  Action,  along  with  any  and  all  attorney's  fees  or  related  costs  or 
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expenses  Columbia  has  paid  or  will  pay  in  connection  with  the  same,  pending  a  resolution  of 
the  instant  coverage  dispute. 

36.  A  dispute  has  arisen  as  to  the  existence  and  scope  of  any  obligation  on  the  part 
of  Columbia  to  Cottage  under  the  Columbia  Policy  in  connection  with  the  claims  at  issue  in  the 
Underlying  Action  and  the  DOJ  Proceeding. 

37.  Columbia  seeks  declaration  that  it  has  no  duty  to  defend  or  indemnify  Cottage 
in  the  Underlying  Action  or  the  DOJ  Proceeding 

38.  Therefore,  an  actual  and  justiciable  controversy  exists  regarding  the  nature  and 
scope  of  the  insurance  coverage  potentially  owed  to  Cottage. 

FIRST  CAUSE  OF  ACTION 
(Declaratory  Relief) 

39.  Columbia  repeats,  reiterates  and  realleges  each  and  every  allegation  of  the 
preceding  paragraphs  as  if  set  forth  herein,  verbatim  and  fully  at  length. 

40.  The  Columbia  Policy  contains  an  exclusion  entitled  "Failure  to  Follow 
Minimum  Required  Practices"  that  precludes  coverage  for  any  loss  based  upon,  directly  or 
indirectly  arising  out  of,  or  in  any  way  involving  "[a]ny  failure  of  an  Insured  to  continuously 
implement  the  procedures  and  risk  controls  identified  in  the  Insured's  application  for  this 
Insurance  and  all  related  information  submitted  to  the  Insurer  in  conjunction  with  such 
application  whether  orally  or  in  writing." 

41.  Upon  information  and  belief,  the  data  breach  at  issue  in  the  Underlying  Action 
and  the  DOJ  Proceeding  was  caused  as  a  result  of  File  Transfer  Protocol  settings  on  Cottage's 
internet  servers  that  permitted  anonymous  user  access,  thereby  allowing  electronic  personal 
health  information  to  become  available  to  the  public  via  Google's  internet  search  engine. 
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42.  Upon  information  and  belief,  the  data  breach  at  issue  in  the  Underlying  Action 
and  the  DOJ  Proceeding  was  caused  by  Cottage's  failure  to  continuously  implement  the 
procedures  and  risk  controls  identified  in  its  application,  including,  but  not  limited  to,  its 
failure  to  replace  factory  default  settings  its  failure  to  ensure  that  its  information  security 
systems  were  securely  configured,  among  other  things. 

43.  Upon  information  and  belief,  the  data  breach  at  issue  in  the  Underlying  Action 
and  the  DOJ  Proceeding  was  caused  by  Cottage's  failure  to  regularly  check  and  maintain 
security  patches  on  its  systems,  its  failure  to  regularly  re-assess  its  information  security 
exposure  and  enhance  risk  controls,  its  failure  to  have  a  system  in  place  to  detect  unauthorized 
access  or  attempts  to  access  sensitive  information  stored  on  its  servers  and  its  failure  to  control 
and  track  all  changes  to  its  network  to  ensure  it  remains  secure,  among  other  things. 

44.  Accordingly,  Columbia  is  entitled  to  a  declaration  that  it  is  not  obligated  to 
defend  or  indemnify  Cottage  in  connection  with  the  Underlying  Action  or  the  DOJ  Proceeding 
and  that  coverage  for  the  claims  and  potential  damages  at  issue  in  the  Underlying  Action  and 
the  DOJ  Proceeding  is  precluded  pursuant  to  the  Columbia  Policy's  Failure  to  Follow 
Minimum  Required  Practices"  exclusion. 

SECOND  CAUSE  OF  ACTION 
(Declaratory  Relief) 

45.  Columbia  repeats,  reiterates  and  realleges  each  and  every  allegation  of  the 
preceding  paragraphs  as  if  set  forth  herein,  verbatim  and  fully  at  length. 

46.  The  Columbia  Policy's  insuring  agreement  for  a  Privacy  Regulation  Proceeding 
applies  with  respect  to  Cottage's  liability  for  "Damages  and  Claim  Expenses  resulting  from 
any  Privacy  Regulation  Proceeding." 
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47.  The  term  "Damages"  is  defined  under  the  Columbia  Policy  to  mean  "civil 
awards,  settlements  and  judgments...  which  the  Insureds  are  legally  obligated  to  pay  as  a  result 
of  a  covered  Claim,"  but  does  not  include  "criminal,  civil,  administrative  or  regulatory  relief, 
fines  or  penalties." 

48.  The  DO  J  Proceeding  will  determine  whether  Cottage  complied  with  its 
obligations  under  HIPAA  and  any  other  pertinent  state  and  federal  laws  and  may  result  in  the 
imposition  of  civil,  administrative  or  regulatory  relief,  fines  or  penalties  against  Cottage. 

49.  Accordingly,  Columbia  is  entitled  to  a  declaration  that  it  is  not  obligated  to 
defend  or  indemnify  Cottage  in  connection  with  the  DOJ  Proceeding  as  any  sanctions  imposed 
or  other  relief  awarded  or  in  the  DOJ  Proceeding  would  not  involve  covered  Damages  under 
the  Columbia  Policy. 

THIRD  CAUSE  OF  ACTION 
(Declaratory  Relief) 

50.  Columbia  repeats,  reiterates  and  realleges  each  and  every  allegation  of  the 
preceding  paragraphs  as  if  set  forth  herein,  verbatim  and  fully  at  length. 

51.  The  Columbia  Policy's  "Application"  condition  provides  that  the  Columbia 
Policy  "shall  be  null  and  void  if  the  Application  contains  any  misrepresentation  or  omission:  a. 
made  with  the  intent  to  deceive,  or  b.  which  materially  affects  either  the  acceptance  of  the  risk 
or  the  hazard  assumed  by  the  Insurer  under  the  Policy." 

52.  The  Columbia  Policy's  "Minimum  Required  Practices"  condition  provides  that, 
as  a  "condition  precedent  to  coverage,"  Cottage  warrants  that  it  shall  "maintain  all  risk  controls 
identified  in  the  Insured's  Application  and  any  supplemental  information  provided  by  the 
Insured  in  conjunction  with  Insured's  Application  for  this  Policy." 
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53.  Upon  information  and  belief,  Cottage's  application  for  coverage  under  the 
Columbia  Policy  contained  misrepresentations  and/or  omissions  of  material  fact  that  were 
made  negligently  or  with  intent  to  deceive  concerning  Cottage's  data  breach  risk  controls. 

54.  Upon  information  and  belief,  the  data  breach  at  issue  in  the  Underlying  Action 
and  the  DOJ  Proceeding  was  caused  by  Cottage's  failure  to  maintain  the  risk  controls 
identified  in  its  application,  including,  but  not  limited  to,  its  failure  to  replace  factory  default 
settings  to  ensure  that  its  information  security  systems  were  securely  configured. 

55.  Accordingly,  Columbia  is  entitled  to  a  declaration  that  it  is  not  obligated  to 
defend  or  indemnify  Cottage  in  connection  with  the  Underlying  Action  or  the  DOJ  Proceeding 
based  on  Cottage's  breaches  of  the  Columbia  Policy's  "Application"  and  "Minimum  Required 
Practices"  conditions. 

FOURTH  CAUSE  OF  ACTION 
(Reimbursement  of  Defense  and  Settlement  Payments) 

56.  Columbia  repeats,  reiterates  and  realleges  each  and  every  allegation  of  the 
preceding  paragraphs  as  if  set  forth  herein,  verbatim  and  fully  at  length. 

57.  Columbia  agreed  to  participate  in  Cottage's  defense  in  the  Underlying  Action 
and  to  fund  the  $4,125  million  settlement  of  the  Underlying  Action  subject  to  a  complete 
reservation  of  rights,  including  the  right  to  seek  reimbursement  of  any  funds  paid  or  advanced 
on  Cottage's  behalf  pending  a  resolution  of  the  instant  coverage  dispute. 

58.  To  the  extent  that  the  Columbia  Policy  does  not  provide  coverage  for  the  claims 
asserted  in  the  Underlying  Action,  Columbia  is  entitled  to  reimbursement  from  Cottage  for  the 
full  amount  of  the  $4,125  million  Columbia  paid  in  settlement  of  the  Underlying  Action,  along 
with  any  and  all  defense  costs,  attorney's  fees  or  related  costs  or  expenses  incurred  by 
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Columbia  on  Cottage's  behalf,  pursuant  to  Blue  Ridge  Ins.  Co.  v.  Jacobsen,  25  Cal  4th  489 
(2001). 

WHEREFORE,  Plaintiff,  Columbia  Casualty  Company,  prays  for  the  following  relief: 

(a)  For  a  declaration  that  Columbia  is  not  obligated  to  provide  Cottage  with  coverage 
for  any  damages  awarded,  sanctions  imposed  or  any  other  relief  directed  in  the 
Underlying  Action  and  the  DOJ  Proceeding; 

(b)  For  a  declaration  that  Columbia  is  not  obligated  to  provide  Cottage  with  coverage 
for  any  defense  costs  or  claim  expenses  incurred  in  connection  with  the 
Underlying  Action  and  the  DOJ  Proceeding; 

(c)  For  a  declaration  that  Cottage  is  obligated  to  reimburse  Columbia  for  any  and  all 
sums  Columbia  paid  on  Cottage's  behalf  in  connection  with  the  Underlying 
Action,  along  with  any  and  all  defense  costs,  attorney's  fees  or  related  costs  or 
expenses  incurred  by  Columbia  on  Cottage's  behalf,  including,  but  not  limited  to, 
the  $4,125  million  settlement; 

(d)  For  an  award  of  Columbia's  attorneys'  fees  and  costs  pursuant  to  law;  and 

(e)  For  such  other  relief  as  is  just  and  equitable  herein. 

Dated:  May  7,  2015 

CARROLL,  McNULTY  &  KULL  LLC 


BY:       /s/  Matthew  T.  Walsh  

Matthew  T.  Walsh,  Esq. 

Attorneys  for  Plaintiff 

100  North  Riverside  Plaza,  Suite  2100 

Chicago,  Illinois  60606 

(312)  800-5000  (tel.) 

(312)  800-5010  (fax) 

mwalsh@cmk.com 
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